Stack Overflow
Stack Overflow

Questions tagged [always-encrypted]

Always Encrypted is a feature of Microsoft SQL Server 2016+ and Azure SQL Database, designed to protect sensitive data. It allows client applications to encrypt sensitive data without revealing the encryption keys to the database engine, so the data cannot be accessed either in flight on the wire or at rest on SQL Server.

Always Encrypted is a feature of Microsoft SQL Server 2016 and Azure SQL Database, designed to protect sensitive data. It allows client applications to encrypt sensitive data without revealing the encryption keys to the database engine, so the data cannot be accessed either in flight or at rest.

See MSDN for more details.

Encryption Keys

This is mainly focused on 2 Keys

  1. Column Master Key (CMK)
  2. Column Encryption Key (CEK)

CMK

Creates a column master key metadata object in a database. A column master key metadata entry that represents a key, stored in an external key store, which is used to protect (encrypt) column encryption keys when using the Always Encrypted (Database Engine) feature. Multiple column master keys allow for key rotation; periodically changing the key to enhance security. You can create a column master key in a key store and its corresponding metadata object in the database by using the Object Explorer in SQL Server Management Studio or PowerShell.

Read more here

CEK

Creates a column encryption key with the initial set of values, encrypted with the specified column master keys. This is a metadata operation. A CEK can have up to two values which allows for a column master key rotation. Creating a CEK is required before any column in the database can be encrypted using the Always Encrypted (Database Engine) feature. CEK's can also be created by using SQL Server Management Studio

Before creating a CEK, you must define a CMK by using Management Studio or the CREATE COLUMN MASTER KEY statement.

Read more here

Types of Encryption

  1. Deterministic Encryption
  2. Randomized Encryption

Deterministic Encryption

Deterministic encryption always generates the same encrypted value for any given plaintext value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, but may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there is a small set of possible encrypted values, such as True/False, or North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character column

Randomized Encryption

Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.

Read more here

299 questions
0
votes
0 answers

SQL Server Always Encrypted with the JDBC not working

I'm working on an enterprise application and for some security reason I have to enable Always Encrypted. DBA and Production IT team did what needed from their side: I can generate this script from using SQL server management studio under security ->…
M-BNCH
  • 393
  • 1
  • 3
  • 18
0
votes
1 answer

Always, but Always, Encrypted Azure SQL Database, how to achieve

Is there a way to have an always encrypted database? I mean no system admin, no one to be able to read the data. Once encrypted the data to stay encrypted forever. This is a database for an application with many customers (authentication done via…
zen
  • 79
  • 1
  • 9
0
votes
0 answers

SQL Server Always Encrypted w/ Secure Enclave - Key Management Strategy

I am looking into ways to build a data warehouse that would house confidential data for 1+ clients. The requirement is that our organization can never obtain access to the decrypted data. There would be a web application clients utilize to write…
jackie
  • 624
  • 2
  • 13
  • 35
0
votes
1 answer

Always Encrypted - Parameters

Have set up Always Encrypted for my table columns at server side. From a C++ client, I use the below connection string to connect to the database: CString connString = L"Driver={ODBC Driver 17 for SQL…
Amal
  • 21
  • 3
0
votes
0 answers

SQL Always Encrypted

I have set up column encryption(Always Encrypted) at my sql server side. I have a C++ client and am trying to insert values into the encrypted database columns. I am able to do so, if I used parameters in my query string just as how we can do from…
Amal
  • 21
  • 3
0
votes
0 answers

SQL Server AE issue in value encryption

I have applied AE on a SQL Server database at column with datatype of numeric(18,0). When I encrypt the data using SSMS the encryption of 154…
Amit Kumar
  • 21
  • 3
0
votes
0 answers

Encrypt an existing table column with SQL Always Encrypted with T-SQL

I have an existing empty table like this : TABLE [dbo].[Answer]( [Id] [uniqueidentifier] NOT NULL, [FirstName] [nchar](10) NULL, [LastName] [nchar](10) NULL, [Point] [int] NULL, [Comment] [nchar](10) NULL) then I create a CMK: CREATE COLUMN MASTER…
Ali.Rashidi
  • 1,284
  • 4
  • 22
  • 51
0
votes
0 answers

how to fix SQL Server Bulk Copy SQLServerException Source and destination schemas do not match

I have a springboot - Spark application that will inject a dataFrame into an SQL Server DB, the app was working fine before we decide to enable Alaway Encrypted for a couple sensible columns. Just after DBA configured the DB with Always Encrypted we…
M-BNCH
  • 393
  • 1
  • 3
  • 18
0
votes
0 answers

SQL Server always encrypted : stored procs recompiling

We are applying Always encrypted(AE) related to changes to stored procs. Suppose one such stored proc calls another 20 SPs. Each of those 20 SPs call another 5, and so on. Some of these SPs are decade old. Should all the stored procs needs to be…
VizdAVE
  • 21
  • 2
0
votes
1 answer

SQL Server 2017 Always Encrypted issue when joining on temp table

We are currently implementing Always Encrypted for some columns in our database, but we are hitting a limitation we cannot explain when joining with temporary tables. We looked at Microsoft documentation and looked at many articles, but we cannot…
Marco
  • 1
0
votes
0 answers

Entity Framework tries to use SQL Server secure enclaves when is not configured

I have a database with always encrypted in SQL Server Express. I migrated my SQL Server version from 2017 (v14) to 2019 (v15), in this new version there is a secure enclave option available for always encrypted that I'm not using. When I connect…
Eduardo Correal
  • 13
  • 1
0
votes
2 answers

EF Core 6 - Prevent querying on a specific column

Context EF Core 6 with some columns in the database encrypted with Always Encrypted Issue Those encrypted columns cannot be queried. In some cases, EF will throw exceptions; others are not. But in principal, we do not want to do the query on these…
kal
  • 198
  • 2
  • 9
0
votes
0 answers

Calling stored procedure in SSIS containing Azure Key Vault encrypted columns

I have the following stored procedure which work as expected when run it run it using the EXEC command below in SSMS. the CustomerAlternateKey column in both the [dbo].[DimCustomer] and dbo.TargetTable tables are encrypted using Always Encrypted…
lem
  • 149
  • 7
0
votes
1 answer

Wrapping SQL with Always Encrypted columns in a stored procedure

Using the AdventureWorksDW2017 database, I encrypted the dbo.DimCustomer.CustomerAlternateKey using deterministic encryption. I also created a target table called dbo.TargetTable where I also encrypted the dbo.TargetTable.CustomerAlternateKey column…
lem
  • 149
  • 7
0
votes
1 answer

Always encrypted provisioning CNG with powershell exception

I'm having a problem while making a powershell script for creation of Always Encrypted column encryption keys When I run these functions from the SqlServer powershell module, I get the following error. # $cngProviderName "Microsoft Software Key…
Sotem
  • 25
  • 5
1 2 3
19 20